Security Orchestration, Automation, and Response for Security Analysts (eBook)
338 pages
Packt Publishing (publisher)
978-1-80323-931-6 (ISBN)
What your journey will look like
With the help of this expert-led book, you'll become well versed with SOAR, acquire new skills, and make your organization's security posture more robust.
You'll start with a refresher on the importance of understanding cyber security, diving into why traditional tools are no longer helpful and how SOAR can help.
Next, you'll learn how SOAR works and what its benefits are, including optimized threat intelligence, incident response, and utilizing threat hunting in investigations.
You'll also get to grips with advanced automated scenarios and explore useful tools such as Microsoft Sentinel, Splunk SOAR, and Google Chronicle SOAR.
The final portion of this book will guide you through best practices and case studies that you can implement in real-world scenarios.
By the end of this book, you will be able to successfully automate security tasks, overcome challenges, and stay ahead of threats.
Become a security automation expert and build solutions that save time while making your organization more secure.
Key Features
- An exploration of the SOAR platform's full features to streamline your security operations
- Lots of automation techniques to improve your investigative ability
- Actionable advice on how to leverage the capabilities of SOAR technologies such as incident management and automation to improve security posture
What you will learn
- Reap the general benefits of using the SOAR platform
- Transform manual investigations into automated scenarios
- Learn how to manage known false positives and low-severity incidents for faster resolution
- Explore tips and tricks using various Microsoft Sentinel playbook actions
- Get an overview of tools such as Palo Alto XSOAR, Microsoft Sentinel, and Splunk SOAR
Who this book is for
You'll get the most out of this book if:
- You're a junior SOC engineer, junior SOC analyst, a DevSecOps professional, or anyone working in the security ecosystem who wants to upskill toward automating security tasks
- You often feel overwhelmed with security events and incidents
- You have general knowledge of SIEM and SOAR, which is a prerequisite
- You're a beginner, in which case this book will give you a head start
- You've been working in the field for a while, in which case you'll add new tools to your arsenal
1
The Current State of Cybersecurity and the Role of SOAR
Ransomware, data leaks, phishing, denial of service… these are some of the terms that everyone, even those who aren’t in the IT industry, will have repeatedly heard in the last few years. Everyone has received an email from a Nigerian prince or some long-lost rich relative from Africa at least once. These are basic examples of cyberattacks called phishing attacks, which still have an acceptable success rate. If we were to talk about more tailored phishing attacks (common ones being a request to change your password or a notification that your account will be deleted if you don’t click on a link), those have an even better success rate – why is that so? Because bad actors are smart.
The first aspect to consider is that they will use many techniques to make their email seem as legitimate as possible, and the second, which is not connected to IT, is the psychological part. The psychological part manifests itself in a few different ways. It can be someone pretending to be your boss (using spoofing methods), an email containing a sense of urgency, or an email sent at the end of working hours when employee concentration is at its lowest. Because of this, organizations are on the lookout for more advanced systems to help them respond to these in a matter of minutes. That is where Security Orchestration, Automation, and Response (SOAR) comes in to save the day.
In this chapter, we will cover the main aspects of changes within cybersecurity and how those changes impact our everyday lives. A few years back, cyberattacks mainly impacted organizations, but today, their impact is felt by ordinary people as well. And this is something that will not change overnight. As one way of fighting back and improving their security posture, organizations can use many security tools. One of them is SOAR, and we will explain why SOAR is a must in every organization today.
In a nutshell, this chapter will cover the following main topics:
- Traditional versus modern security
- The state of cybersecurity
- What is SOAR?
Traditional versus modern security
Security plays a significant role in our everyday lives. It has done so since the start of civilization, when people first built fortifications. If we go back through history, we can see how people built their fortifications on the top of a hill or on a river fork, or, if neither was available, dug canals around fortifications, built big walls, and so on. All this had one thing in common – the aim of securing the people and their property against attacks from other tribes or countries.
As those fortifications were built, attackers always sought a way to penetrate those defenses. Some attacks were massive assaults made directly on the fortifications; others involved sending a single person to breach the front or back entrance or to create a diversion.
Probably the most famous of these, with its IT equivalent appearing every day, is when ancient Greece attacked Troy. Because of Troy’s fortifications, the Greeks couldn’t penetrate the city, even though they had a massive army and the numbers were on their side. That all changed when Odysseus came up with the idea of a diversion. The Greek forces pretended to retreat and left a giant wooden horse as a present from the gods to the people of Troy. And what did they do? The people of Troy took that wooden horse into the city. They didn’t know that Odysseus and his best fighters were hiding inside it. In the early morning, while everyone was sleeping, Odysseus and his selected men climbed out of the wooden horse and opened the gates for the rest of the army to enter Troy. After that, all the defense mechanisms in place fell apart, and Troy was defeated.
If you are in cybersecurity, even if you don’t know this story about Troy, you will be aware of what a Trojan horse is: a term for malware that misleads users about its true purpose. While it appears to be legitimate software, it contains malicious code. It works in much the same way as it did 3,000 years ago.
We can see that many types of attack and defense recur throughout history; the only part that changes is how they are performed. We can look at a full army attack on a fortress as a Distributed Denial-of-Service (DDoS) attack, a Trojan horse as a payload being delivered, a ransomware attack as Vikings asking for gold and valuables to halt their attack on Britain, a spyware intrusion as sending a spy to gather information on fortress defenses from the inside, and so on. From a defense perspective, we can see how everyone started with a perimeter defense by building walls or creating a fortress at the top of a hill. Then, they moved to layered defense by adding water canals in front of walls. The best example of a historic, layered defense was Constantinople. It started with a single wall, and in the end, it had a moat, a low wall, an outer wall, and an inner wall. If we look at cybersecurity, we can see a similar approach: a single barrier to protect the perimeter – a firewall – followed by additional layers such as DDoS protection, a Web Application Firewall (WAF), antivirus solutions, and so on.
Looking at this parallel, we all can agree that these defense strategies weren’t enough and that even the most robust defenses fell under heavy attack. Even the great Constantinople, probably the city with the best defenses of all time, fell under heavy Ottoman attacks.
Why? Because methods of attack evolved faster than methods of defense, and the gap became ever harder to close.
The same is true for cybersecurity. As mentioned, we start with perimeter defense and then add layered defense, but even that isn’t sufficient. Methods of attack evolve, and bad actors always find a way to surpass existing systems. One thing is certain: traditional systems are outdated, and many organizations are in the process of updating their cybersecurity as a result.
There are a few reasons why this is happening:
- An important aspect is that people are more aware of how they use their personal information, how it is handled, and how it can be misused. People used to trust websites to use their info internally, but those websites sold that info to advertisement companies. People now expect more rigorous privacy and security for the data they share on websites.
- Second up on the list is reputation. Many organizations that suffer an attack experience a loss of reputation, and in the end, smaller organizations often don’t survive these kinds of attacks. The loss of existing clients and the absence of new ones to replace them affect many small and medium organizations after a cyberattack. Big organizations recover more quickly because of their size, but they still suffer heavy losses.
- The third is bankruptcy, which is directly connected to ransomware in most cases. First, you need to pay to decrypt your data, and on top of that, you have the cost of not running your business. Coupled with a loss of clients, this will all bring small and medium organizations to their knees very quickly. In addition, these companies that have suffered a successful cyberattack end up having their information shared on the dark web. Consequently, they are often targeted by even more bad actors with financial gain as their motive.
Today, organizations either need to update their defense strategies to stay ahead of bad actors or risk a significant cybersecurity incident resulting in considerable financial losses – initially or in the long run.
The current state of cybersecurity
The last few years have changed how businesses operate, and standard working will never be the same. Digital transformation and the COVID-19 pandemic have fundamentally changed the way that we work. Modern tools for collaboration, such as Microsoft Teams, Slack, Zoom, and so on, make it possible for people to work from any location and still stay in touch with their peers. When the COVID-19 pandemic started, everyone had to work from home. And something that started as a temporary solution has changed how people work permanently. However, it hasn’t just changed the way people are working. It has also changed how people connect and what network they use – it has changed cybersecurity. A traditional perimeter does not help anymore; people are expected to be outside their bubbles, and we must find new ways to protect them. The second thing to consider is that people don’t just use corporate devices to connect to corporate resources: they use personal devices as well.
Creating boundaries is becoming harder and harder, and organizations must find a new way to protect their resources. Traditional systems aren’t enough anymore. The first tools that people are turning to have been available for years in the market, such as Mobile Device Management/Mobile Application Management (MDM/MAM), Multi-Factor Authentication (MFA), Endpoint Detection and Response (EDR) platforms, Data Loss Prevention (DLP), and...
| Publication date (per publisher) | 21.7.2023 |
|---|---|
| Foreword | Nicholas Dicola |
| Language | English |
| Subject area | Computer Science ► Networks ► Security / Firewall |
| | Mathematics / Computer Science ► Computer Science ► Theory / Study |
| ISBN-10 | 1-80323-931-X / 180323931X |
| ISBN-13 | 978-1-80323-931-6 / 9781803239316 |
Digital Rights Management: no DRM
This eBook contains no DRM or copy protection. Passing it on to third parties is nevertheless not legally permitted, because the purchase grants you only the rights to personal use.
File format: EPUB (Electronic Publication)
EPUB is an open standard for eBooks and is particularly well suited to presenting fiction and non-fiction. The body text is dynamically adapted to the display and font size, which also makes EPUB well suited to mobile reading devices.
System requirements:
PC/Mac: You can read this eBook on a PC or Mac. You will need the free Adobe Digital Editions software.
eReader: This eBook can be read on (almost) all eBook readers. It is not, however, compatible with the Amazon Kindle.
Smartphone/Tablet: Whether Apple or Android, you can read this eBook. You will need a free app.
Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.